EventSentry deployment with minimal privileges

edited September 2014 in EventSentry [General]
I want to automatically deploy EventSentry with minimal privileges. According to the manual there are three ways to install the EventSentry agent: manual installation, installation through the EventSentry Management Console and automated MSI installation.

Manual installation is obviously not what I want. So the only options are installation through the EventSentry Management Console and automated MSI installation.

I don't want each user of the Management Console to need administrative privileges on the monitored computers. So installing the EventSentry agent through the EventSentry Management Console is not an option. Moreover, the installation through the EventSentry Management Console can't be automated.

Therefore, the last way to install the EventSentry agent is through the MSI installer. We can customize the installer with the exported configuration and install the MSI file through SCCM or AD. After installation there are three options for remote updates: ADMIN$ share, ES$ share and eventsentry_svc.reg. As mentioned, I want EventSentry to have minimal privileges, so updates through the ADMIN$ share are not an option. Updates through ES$ are better because I can run eventsentry_upd.exe under a managed service account that has permissions to access the ES$ share.

What are the disadvantages of the ES$ share? The manual says that the EventSentry Management Console will not be able to check the agent status if it has no permission to access the ADMIN$ share. Does that mean that EventSentry will not be able to check via the Heartbeat feature whether a remote agent crashed?

Is it possible to export the eventsentry_svc.reg file automatically, so that the ES$ would not be necessary and configuration updates could be distributed through SCCM or AD?

Comments

  • Hello Matthias,

    Sorry for the delay.

    If you do not want all of the EventSentry Management Console users to have administrative rights on remote machines, you can create an AD security group called "ES Admins" (you can call the group whatever you like) and then add the users that will be managing EventSentry to that group. Then configure the EventSentry registry key (HKEY_LOCAL_MACHINE\Software\netikus.net, or HKEY_LOCAL_MACHINE\Software\Wow6432node\netikus.net) and installation directory (C:\Program Files\EventSentry\ or C:\Program Files (x86)\EventSentry\) to have Full Access permissions granted to the "ES Admins" group. You can also grant the "ES Admins" group write access to the ES$ share of your remote computers. Lastly, you would need to click Tools > Options in the Management Console toolbar, and select the Remote Update tab. Change the Remote Share Preference drop-down to select ES$ instead of ADMIN$. Now your users can manage EventSentry and push configuration changes to the remote computers without being an administrator of the remote computers.

    To check/monitor the agent status of remote machines using the heartbeat agent, the easiest thing to do is to configure the heartbeat service to run as a domain administrator account, since no other heartbeat configuration changes are required after that. If you do not want the heartbeat service to run with domain administrator rights, first you would launch the EventSentry Management Console as the account you have chosen to run the heartbeat service with. Next, set authentication on each remote computer and provide an account that has administrative privileges to the remote computer. Close the Management Console and launch it again using a normal account instead of the heartbeat service account. This allows the heartbeat service to monitor the remote agent status while not requiring EventSentry Management Console users to have administrative rights on your remote machines. If you object to having the heartbeat service account use administrative privileges on the remote computers, you can follow the instructions in this article (http://www.eventsentry.com/kb/41) to configure the heartbeat service to run correctly without an administrative account.

    If you need to deploy or upgrade the EventSentry Agent on remote computers, you can launch the EventSentry Management Console as a user account that has administrative privileges on your remote machines, and then deploy or upgrade the agents, and the rest of the time you can use non-privileged accounts to launch the Management Console. You could also use a scheduled task in Windows Task Scheduler for eventsentry_upd.exe (http://www.eventsentry.com/documentation/help/html/?configcomputergroupsremoteupdatescripting.htm) and run the scheduled task as an account that has administrative privileges on your remote computers.

    If you deploy using an MSI through AD or SCCM, we don't recommend using an MSI deployment to upgrade the agent. Instead, please use the scheduled task for eventsentry_upd.exe to upgrade the agents.

    There is no disadvantage to using ES$ instead of ADMIN$, aside from having to make configuration changes that aren't needed when using ADMIN$.
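
The delegation steps from the reply above, as an added PowerShell example that is not part of the original thread or EventSentry's own tooling: it grants the group Full Control on the registry keys and installation directories the reply names and Change on the ES$ share, then lists the resulting entries for review. The `CONTOSO` domain is a placeholder; the script is meant to run elevated on each monitored computer.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and then report the delegated rights described in the reply.
# ASSUMPTION: 'CONTOSO\ES Admins' is a placeholder; substitute your own domain and group.
param(
    [string]$Group     = 'CONTOSO\ES Admins',
    [string]$ShareName = 'ES$'
)

# Registry keys and installation directories named in the reply (32- and 64-bit variants).
$regKeys = 'HKLM:\Software\netikus.net', 'HKLM:\Software\Wow6432Node\netikus.net'
$dirs    = 'C:\Program Files\EventSentry', 'C:\Program Files (x86)\EventSentry'

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Full Control on whichever registry key exists on this machine.
foreach ($key in ($regKeys | Where-Object { Test-Path $_ })) {
    $acl  = Get-Acl -Path $key
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Group, 'FullControl', 'ContainerInherit', $none, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Full Control on whichever installation directory exists, inherited by its contents.
foreach ($dir in ($dirs | Where-Object { Test-Path $_ })) {
    $acl  = Get-Acl -Path $dir
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'FullControl', $inherit, $none, $allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# Write access on the share; 'Change' is the SMB right that permits writes.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $Group -AccessRight Change -Force | Out-Null
    Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -eq $Group }
}

# Report every entry the group now holds so the delegation can be reviewed.
($regKeys + $dirs) | Where-Object { Test-Path $_ } | ForEach-Object {
    $path = $_
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference, IsInherited,
            @{ n = 'Rights'; e = { if ($_.RegistryRights) { $_.RegistryRights } else { $_.FileSystemRights } } }
}
```

Full Control over the agent's installation directory means group members can change the files the agent service runs from, so membership of the group should be reviewed as a privileged assignment on those hosts.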